Privacy Policy

Last updated: May 18, 2026

The operator of the Inner Battery application (the "App"), available at innerbattery.com, is:

Inner Battery s.r.o., IČO: 24526746, sídlo: Nové sady 988/2, Staré Brno, 602 00 Brno
Contact email: info@innerbattery.com

Inner Battery s.r.o. acts as the data controller within the meaning of the General Data Protection Regulation (GDPR).

1. What data we collect

Data	Purpose	Legal basis
Email address	Login and user identification	Contract performance
Nickname	Display in the app to other users	Contract performance
Avatar (numeric code)	Visual identification in friends list	Contract performance
Country code	Language and currency settings	Legitimate interest
Language	Displaying the app in the correct language	Legitimate interest
Messages (text up to 160 characters)	Core app function – sending messages	Contract performance
Friends list	Social features of the app	Contract performance
Payment data (Paddle)	Processing gift battery purchases	Contract performance
Device hash (SHA-256)	Abuse protection (limiting anonymous messages)	Legitimate interest
Browser user agent	Device identification for abuse prevention	Legitimate interest
Abuse audit records (incl. content of reported message)	Abuse moderation, review of ban legitimacy	Legitimate interest (Art. 6(1)(f))
Usage statistics (counts of sent messages, friends, thanks, bans, last activity date)	Engagement measurement, battery state calculation, abuse protection	Legitimate interest
Paddle customer ID + Paddle address ID	Reference to billing address stored at Paddle (for tax documents)	Contract performance + tax obligations
Operational debug records (auth/payment/offline queue errors) with user identifier	Diagnostics and troubleshooting	Legitimate interest
Record of consent to terms (date + per-item: age 16+, Terms of Service, Privacy Policy)	Proof of valid granular consent with three explicit user affirmations	Compliance with legal obligation (Art. 7(1) GDPR)
Email hash of deleted accounts (SHA-256, pseudonymized)	Preventing repeated abuse of the free trial (creating new accounts on the same email to reset the trial)	Legitimate interest (Art. 6(1)(f)) — abuse prevention

2. What we do NOT collect

Full name or surname
Home address
Phone number
IP addresses are not stored or retained; they may be briefly processed technically when establishing a connection to the server
Precise location (only country code from browser settings)
Payment card details (processed directly by Paddle, never reach our servers)
Special categories of personal data under Article 9 GDPR — we do not process data on health, sexual orientation, political opinions, religious beliefs, racial or ethnic origin, biometric or genetic data

3. How we use your data

We use your data exclusively for:

Operating the app and its core features (login, messaging, friends list)
Processing payments for premium features
Protecting against abuse (limiting anonymous messages)

Where we rely on legitimate interest as a legal basis (country code, language, device hash, user agent), our legitimate interest consists in protecting the App against abuse and ensuring platform security and quality (e.g. limiting anonymous messages per device, correct language settings). We have conducted a balancing test to ensure that your rights and freedoms are not overridden by our interests.

We do not sell your personal information and do not share your data with third parties for marketing purposes. (CCPA/CPRA mandatory disclosure for California residents.)

Marketing emails. We currently do not send you any marketing or promotional communications. We only send transactional emails (sign-in, purchase confirmations, token expiration notices, GDPR notifications). If we introduce a newsletter or marketing communication in the future, we will comply with:

Opt-in consent per GDPR Art. 7 and applicable national e-privacy laws (no automatic enrollment)
Unsubscribe link in every email (per CAN-SPAM Act, CASL Canada, EU ePrivacy)
Record of consent including date and context of granting

4. Data processors (third parties)

Service	Purpose	Location
Google Firebase (Auth, Firestore, Functions)	App infrastructure, data storage, and server-side logic	EU (europe-north1 and europe-west1 regions)
Paddle.com Market Limited	Payment processing (Merchant of Record)	United Kingdom
Google (Sign-In)	Authentication via Google account	USA
Apple (Sign in with Apple)	Authentication via Apple account	USA/Ireland

App data (user profiles, messages, friends in Firestore and Cloud Functions) is stored primarily in EU regions (Google Cloud europe-north1 and europe-west1).

Sign-In providers (Google, Apple) may process authentication data in the USA. Data transfers to the USA comply with the EU-US Data Privacy Framework (DPF), or other appropriate safeguards under Article 46 GDPR, in particular Standard Contractual Clauses (SCCs) approved by the European Commission.

Paddle.com Market Limited (based in the United Kingdom) processes payments as Merchant of Record worldwide — for tax and payment purposes, Paddle is your contractual seller regardless of your country of residence. Paddle complies with GDPR, UK GDPR, and other regional privacy standards, and maintains its own privacy policy (paddle.com/legal/privacy). The UK has an adequacy decision from the EU.

For users outside the EU: by using the service, you consent to the transfer of your data to the EU for processing. For some jurisdictions (e.g., China under Art. 39 PIPL), this constitutes explicit consent to cross-border transfer.

5. Data stored in your browser

All local storage used by the app is strictly necessary for the operation of the service (authentication, offline use, local cache). We do not use analytics or marketing tracking. Under the ePrivacy Directive 2002/58/EC, we therefore do not require explicit consent for storage (strictly necessary storage is exempt).

The app stores the following data locally in your browser (localStorage, IndexedDB) for faster performance and offline use:

Language and currency preferences
Friends list and gift batteries cache
Notification read status and activated message markers
Offline queue of undelivered messages (synced when connection is restored)
PWA install indicators and onboarding flags
Firebase Auth IndexedDB – authentication token, so the app does not require you to log in repeatedly
Firestore persistent cache – up to 10 MB local copy of your data (messages, friend profiles, …) for offline functionality

This data never leaves your device (except for synchronization of messages from the offline queue when connection is restored) and can be deleted at any time by clearing your browser data.

6. Data retention

Data	Retention period
User account and profile	Until account deletion by user, or automatically 90 days after license expiration
Messages	Until account deletion by user, or automatically 90 days after license expiration
Temporary message links	24 hours to 30 days (depending on type)
Gift tokens	90 days from purchase (unredeemed token expiration)
Payment records	As required by law (minimum 10 years). Upon account deletion, a snapshot of email and nickname is stamped into these records for accounting trail.
Abuse / ban audit records	Maximum 90 days from the event, then automatically deleted
Operational debug logs	Maximum 90 days (aligned with cleanupDebugLogs scheduled CF)
Record of consent to terms (email, consent date, deletion-request date and deletion date, terms version)	For the duration of the account + 3 years after deletion. After account deletion we retain a minimal proof of the consent given (incl. email) on the basis of GDPR Art. 17(3)(e) (establishment, exercise or defence of legal claims — e.g. a dispute "I never agreed"). Stored separately, accessible to the controller only, and automatically deleted after 3 years.

7. Your rights (under GDPR)

You have the right to:

Access – request a copy of your data
Rectification – correct inaccurate data
Erasure – request deletion of your account and all data (Art. 17). You initiate the request in the app under "Your Battery" → "Delete account". We send you a confirmation email with a link (valid for 1 hour). After confirmation, your account enters a 7-day cancellation window during which you can cancel deletion with a single click in the app. After 7 days, an automated process performs the final deletion of all your personal data. If you require immediate deletion without the waiting period (e.g. for serious reasons), please contact us at info@innerbattery.com.
Portability – obtain your data in a machine-readable format
Restriction – request restriction of processing (Art. 18)
Object – object to processing based on legitimate interest (Art. 21). We will then assess whether our legitimate grounds override your interests.
Withdraw consent – where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal
Lodge a complaint with the Czech Office for Personal Data Protection (uoou.cz) or your local supervisory authority within the EU/EEA

To exercise your rights, contact us at: info@innerbattery.com. We accept requests in Czech or English.

How to exercise your rights:

Request format: Email to info@innerbattery.com with the subject "GDPR request — [type: access / erasure / rectification / portability / restriction / objection]" and the email address you registered with.
Identity verification: For your protection, we may require additional verification (typically a confirmation email sent to your registered address) — usually within 1-2 days.
Response timeline: Free of charge within 1 month of receipt (per Article 12(3) GDPR). In complex cases we may extend by an additional 2 months — we will always inform you of the extension within 1 month with reasons.
Export format: For the right to portability (Art. 20 GDPR), we provide data in a structured, commonly used, and machine-readable format (JSON).
Repeated or manifestly unfounded requests: We may refuse or charge a reasonable fee per Article 12(5) GDPR.

8. Automated decision-making and AI

We do not carry out automated decision-making or profiling within the meaning of Article 22 GDPR.

AI systems: We currently do not use any AI systems to process your personal data. If we introduce AI assistance in the future (e.g., automated complaint processing or content moderation), we will inform you transparently in accordance with the EU AI Act (Regulation 2024/1689) and provide you the option to request human review.

9. Security

Your data is protected by:

Encryption in transit — HTTPS/TLS for all communication between the App and servers
Encryption at rest — Google Cloud automatically encrypts data stored in Firestore and Cloud Functions at the storage layer
Firebase security rules (Firestore Security Rules) for authorization of data access
Hashing of sensitive identifiers (SHA-256) for device hash and pseudonymization
Payment data processed exclusively by Paddle, certified PCI DSS Level 1 — payment card details never reach our servers

In the event of a personal data breach:

Supervisory authority notification — We will notify the Czech Office for Personal Data Protection (ÚOOÚ) within 72 hours of becoming aware of the breach pursuant to Article 33 GDPR (where the breach is likely to result in a risk to your rights and freedoms).
Affected users notification — If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay via email and in-app notification pursuant to Article 34 GDPR.
Incident record — All incidents (including those below the notification threshold) are documented internally pursuant to Article 33(5) GDPR.

10. Safety and abuse moderation

The app allows users to report inappropriate messages (the "delete from battery" feature with the ban author option). To enable subsequent review of these reports and protect other users, we retain an audit record of each such event:

identifier of the reporting user
identifier of the banned user
identifier and metadata of the reported message (date, language, type)
content of the reported message (max. 160 characters) — primary basis for moderation review
event timestamp

Legal basis: Legitimate interest under Art. 6(1)(f) GDPR – protecting users against abuse and harassment, and reviewing repeated unjustified bans.

Retention: Maximum 90 days from the event. After this period, audit records are automatically and irreversibly deleted.

Access: Audit records are accessible only to the application administrator (Inner Battery s.r.o.) for moderation purposes. They are not shared with third parties.

Your rights: If you wish to know whether an audit record has been created relating to you, or request its erasure under Art. 17 GDPR, contact us at info@innerbattery.com. When you delete your account (Art. 17), all audit records where you appear as reporter or banned user are automatically erased.

11. Children

The app is not intended for children under 16. We do not knowingly collect data from children. If we discover that we have collected data from a child, we will promptly delete it.

If you reside in a jurisdiction where the minimum age for providing consent differs, the higher age requirement under applicable law applies.

12. Changes to this policy

We will notify you of material changes to this policy via an in-app announcement. By continuing to use the app after changes are published, you agree to the updated policy.

13. International users and regional rights

The app is available globally. Inner Battery s.r.o. (based in the Czech Republic) is the data controller within the meaning of GDPR. Depending on your country of residence, additional mandatory rights may apply. To exercise any rights, contact info@innerbattery.com — we accept requests in Czech or English.

Region	Applicable law	Key rights (beyond GDPR)	Complaint authority
🇪🇺 EU/EEA	GDPR + national transpositions	Full rights under Art. 12–22 (see §7)	National DPA or Czech ÚOOÚ (uoou.cz)
🇬🇧 UK	UK GDPR + DPA 2018	Same as EU	ICO (ico.org.uk)
🇺🇸 USA — CA, VA, CO, CT, UT, TX, OR, FL and others	CCPA/CPRA + state privacy laws	Opt-out of sale (we don't sell), opt-out of sharing for advertising, "Right to know"	State AG or CPPA (California)
🇯🇵 Japan	APPI (rev. 2022)	Disclosure, correction, suspension of use	PPC (ppc.go.jp)
🇨🇳 China	PIPL (2021)	Cross-border consent — data transferred to EU for processing; your use = explicit consent under Art. 39 PIPL	CAC (cac.gov.cn)
🇰🇷 Korea	PIPA	Access, correction, deletion, opt-out	PIPC (pipc.go.kr)
🇧🇷 Brazil	LGPD	Rights similar to GDPR	ANPD (gov.br/anpd)
🇨🇦 Canada	PIPEDA + Quebec Law 25	Access, correction, withdrawal of consent	OPC (priv.gc.ca)
🇦🇺 Australia	Privacy Act + APPs	Access, correction	OAIC (oaic.gov.au)
Other (India DPDP, Singapore PDPA, South Africa POPIA, …)	Local privacy laws	We endeavor to respect the substance — contact info@	Local regulator

Local representatives: we currently have no designated regional representatives (CCPA agent, Japan APPI representative, PIPL local representative, etc.). We will establish local representation as the user base grows in each region.